[英]Host unreachable inside Docker container
I've got a docker container on host 183.83.83.83
The A record of a subdomain mycontainer.example.com points to this IP.我在主机183.83.83.83
上有一个183.83.83.83
容器 子域 mycontainer.example.com 的 A 记录指向这个 IP。
A curl to 183.83.83.83
or mycontainer.example.com
gives HTTP status 200 and the correct website.到183.83.83.83
或mycontainer.example.com
curl 会给出 HTTP 状态 200 和正确的网站。
However the same curl from inside every container on that host (to both the IP or hostname above) fails to connect:但是,来自该主机上每个容器(到上面的 IP 或主机名)的相同 curl 无法连接:
curl: (7) Failed to connect to mycontainer.example.com port 80: Host is unreachable
This doesn't happen when trying this from a Docker container from another host or from the host itself.从另一个主机的 Docker 容器或主机本身尝试此操作时不会发生这种情况。
What is going wrong here?这里出了什么问题?
EDIT: More details: The host runs an Nginx-proxy container which proxies all requests to mycontainer.example.com
to my frontend container (running a React application through a little node webserver).编辑:更多细节:主机运行一个Nginx 代理容器,它将所有对mycontainer.example.com
请求代理到我的前端容器(通过一个小节点网络服务器运行一个 React 应用程序)。 The frontend container is supposed to proxy all API requests from mycontainer.example.com/api
to mycontainer.example.com:1337/api/v1
.前端容器应该将所有 API 请求从mycontainer.example.com/api
代理到mycontainer.example.com:1337/api/v1
。 However it can't proxy the API requests because I get the error Host is unreachable
from inside all containers running on this host.但是,它无法代理 API 请求,因为我收到错误Host is unreachable
从该主机上运行的所有容器内部Host is unreachable
。
I know it is an old question but for anybody coming here, the solution, at least on Linux, is to allow incoming network packets to host from docker bridge network by modifying the iptables
of the host as following:我知道这是一个老问题,但对于任何来到这里的人来说,至少在 Linux 上,解决方案是通过修改主机的iptables
来允许传入的网络数据包从 docker 网桥网络托管,如下所示:
sudo iptables -I INPUT -i docker0 -j ACCEPT
It translates to accept all incoming network packets on host from docker bridge network (assuming it is docker0) ie traffic from docker containers.它转换为从 docker 桥接网络(假设它是 docker0)接收主机上所有传入的网络数据包,即来自 docker 容器的流量。
Here are the details:以下是详细信息:
-I INPUT means to insert a netfilter rule for incoming packets to host
-i docker0 means packets from docker0 interface of the host
-j ACCEPT means accept all packets since a protocol is not defined it implies that packets of any protocol are welcome.
Refer to iptables --help
and netfilter website for more details.有关更多详细信息,请参阅iptables --help
和netfilter网站。
The more current approach of using FirewallD would be to execute the following commands:使用 FirewallD 的最新方法是执行以下命令:
firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --reload
Fedora 32 switched the backend for the firewall from iptables to nftables. Fedora 32 将防火墙的后端从 iptables 切换到 nftables。 I didn't find how to fix things with nftables, however I found how to switch back to iptables.我没有找到如何使用 nftables 解决问题,但是我找到了如何切换回 iptables。
While the following commands don't look like best practice, they work for me.虽然以下命令看起来不像最佳实践,但它们对我有用。
sudo sed -i 's/FirewallBackend=nftables/FirewallBackend=iptables/g' /etc/firewalld/firewalld.conf
sudo systemctl restart firewalld docker
Source: https://dev.to/ozorest/fedora-32-how-to-solve-docker-internal-network-issue-22me来源: https : //dev.to/ozorest/fedora-32-how-to-solve-docker-internal-network-issue-22me
Here my solution:这是我的解决方案:
if command -v firewall-cmd > /dev/null; then
NIC=$(ip addr | grep {{docker.network.host.ip}} | awk '{ print $7 }')
echo "Trusting NIC \"${NIC}\"..."
sudo firewall-cmd --permanent --zone=trusted --change-interface=${NIC} \
&& sudo firewall-cmd --reload \
&& sudo systemctl restart firewalld \
|| exit $?
fi
I had this issue trying to change a docker-compose network, to fix I deleted all unused networks.我在尝试更改 docker-compose 网络时遇到了这个问题,为了修复我删除了所有未使用的网络。
docker network ls
<- this will list you networks docker network ls
<- 这将列出您的网络
DO NOT DELETE THOSE:不要删除这些:
NETWORK ID NAME DRIVER SCOPE
970599083e1f bridge bridge local
dddff9d5ec3e host host local
15a80e0436c2 none null local
docker network rm <ID|NAME>
<- this will delete a network docker network rm <ID|NAME>
<- 这将删除一个网络
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.